Security ACLs; Understanding How DoS Protection Works - Cisco 7604 Configuration Manual

IOS software configuration guide
Understanding How DoS Protection Works

Tip
For additional information (including configuration examples and troubleshooting information), see the
documents listed on this page:
http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Chapter 36, Configuring Denial of Service Protection (Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX, OL-4266-08)

The following sections contain an overview of the DoS protection on the Cisco 7600 series router and
describe some types of DoS attack scenarios:
DoS Protection with a PFC2
DoS Protection with a PFC3

DoS Protection with a PFC2

This section contains information about the available methods to counteract DoS attacks with a PFC2
and includes configuration examples. The following sections describe these protection methods:
Security ACLs
QoS ACLs
FIB Rate Limiting
ARP Throttling
uRPF Check
TCP Intercept

Security ACLs

The Cisco 7600 series router can deny DoS packets in hardware using security access control lists
(ACLs). Security ACLs are applied in hardware using the TCAM to traffic that can be easily identified
using Layer 3 or Layer 4 data. You can apply security ACLs preventively before a DoS attack occurs or
after an attack has been identified.

This example shows how a security ACL is used to drop DoS packets:

Router# clear mls ip mod 9
Router# show mls ip mod 9
Displaying Netflow entries in module 9
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts         Bytes       Age   LastSeen  Attributes
---------------------------------------------------
192.168.0.0     192.168.1.0     0   :0      :0         0  : 0
1843         84778       2     02:30:17   L3 - Dynamic
192.168.1.0     192.168.0.0     0   :0      :0         0  : 0
2742416      126151136   2     02:30:17   L3 - Dynamic   <== Note: traffic flow identified
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# no access-list 199
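
The flow-identification step in the example above can be scripted. The following Python is an added example, not code from the Cisco guide: it parses the two-line-per-flow show mls ip table, ranks flows by packet rate since the counters were cleared, and drafts a deny entry for operator review. The sample text is constructed from the output on this page; the 100,000 pps threshold, the reading of Age as seconds, and the form of the drafted access-list line are assumptions.

```python
import re

# Constructed sample: the two-line-per-flow layout of the "show mls ip mod 9" output above.
SAMPLE = """\
Displaying Netflow entries in module 9
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts         Bytes       Age   LastSeen  Attributes
---------------------------------------------------
192.168.0.0     192.168.1.0     0   :0      :0         0  : 0
1843         84778       2     02:30:17   L3 - Dynamic
192.168.1.0     192.168.0.0     0   :0      :0         0  : 0
2742416      126151136   2     02:30:17   L3 - Dynamic
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
KEY_RE = re.compile(rf"^{IP}\s+{IP}\s+(\S+)\s*:")   # DstIP SrcIP Prot:...
STAT_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+(.*)$")

def parse_flows(text):
    """Pair each key line (DstIP/SrcIP) with the counter line that follows it."""
    flows, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.groups()
            continue
        s = STAT_RE.match(line)
        if s and key:
            pkts, nbytes, age = (int(s.group(i)) for i in (1, 2, 3))
            flows.append({"dst": key[0], "src": key[1], "prot": key[2],
                          "pkts": pkts, "bytes": nbytes, "age": age,
                          "pps": pkts / max(age, 1)})  # Age assumed seconds; avoid /0
            key = None
    return flows

def suspect_flows(flows, pps_limit):
    """Flows whose packet rate since the counters were cleared exceeds pps_limit."""
    return sorted((f for f in flows if f["pps"] > pps_limit),
                  key=lambda f: f["pps"], reverse=True)

def candidate_ace(flow, acl=199):
    """Assumed entry form for operator review; not taken from the guide."""
    return f"access-list {acl} deny ip host {flow['src']} host {flow['dst']}"

if __name__ == "__main__":
    for f in suspect_flows(parse_flows(SAMPLE), pps_limit=100_000):
        print(f"{f['src']} -> {f['dst']}: {f['pps']:.0f} pps; review: {candidate_ace(f)}")
```

Because the rate is computed from counters accumulated since the last clear, capture the table shortly after clearing, as the example above does, so that old traffic does not dilute or inflate the figure.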

This manual is also suitable for:

7613, 7606, 7609-S, 7600 series